Home / Robin's Newsletter

Robin’s Newsletter #86

 Vol. 3  Iss. 6  09/02/2020, last updated 06/04/2020   Robin Oldham  ~6 Minutes

This week

Man creates traffic jam on Google Maps using a cart full of mobile phones

Pablo Picasso is credited with saying “art is a lie that makes us see the truth,” and artist Simon Weckert brought to life our reliance on algorithms with a great art installation this week.

“[He] walked the streets of Berlin tugging a red wagon behind him. Wherever he went, Google Maps showed a congested traffic jam. People using Google Maps would see a thick red line indicating congestion on the road, even when there was no traffic at all.”

The story itself is gleefully simple, going by my LinkedIn post, capturing not just my, but plenty of other’s imaginations too.

It’s a great example of the importance we place on the integrity of data - rather than confidentiality aspects seen in data breaches and availability from ransomware incidents.

It also highlights the unquestioning reliance we place in systems every day, each component of which is worked on by a minuscule team compared to their global user base. I’d hazard a guess that the team behind Google Maps’ routing engine is no more than two-digits. Over 1 billion people use Google Maps each month.

The Glass Cage is a great read if you want to delve deeper into the world of algorithms, automation and AI. In it, author Nicholas Carr takes a look examples of automation bias and automation complacency. “As computer systems and software applications come to play an ever larger role in shaping our lives and the world, we have an obligation to be more, not less, involved in decisions about their design and use.”

To that end, Hemant Taneja’s blog post in Harvard Business Review is well worth a read too: ‘The era of “Move Fast and Break Things” is over… “minimum viable products” must be replaced by “minimum virtuous products.”’

There are plenty of interesting new fields of study emerging around data ethics, privacy and artificial intelligence, like ‘how do you teach an AI to forget?’ (vol. 2, iss. 24.) In a time when ‘software is eating the world,’ there perhaps a lot more we can all learn by spending time looking at the lies told to us by artists. Thank you, Simon, for walking around Berlin with your cart full of mobile phones! vice.com, The Glass Cage (amazon.co.uk), Minimum virtuous products (hbr.org)

Interesting stats

10.9% of IT budget is spent on cyber security programmes, according to Accenture. Plenty more, involved, stats in their State of Cybersecurity Report 2019 accenture.com

48% of Chief Information Security Officer’s admit that job-stress has affected their mental health, 23% said they are relying on medication or alcohol as a coping mechanism, according to Nominet.

If you need help managing work-related stress, check out UK-charity Mind’s info.

Also in the Nominet survey, 97% of C-Suite executives said that the security team could improve on delivering value for amount of budget they receive scmagazine.com

4x increase in the number of objections when penetration test tactics used against themselves techcrunch.com

36% of UK SMBs rely on senior management to make the call of what, and when, to patch software, according to Sophos zdnet.com

1,000+ cases of technology theft ‘by China’ being investigated by FBI zdnet.com

Other newsy bits

IKEA’s ‘Data Promise’

Hat tip to @JessicaLennard and @ProjectsByIF for sharing a really interesting video with Barbara Martin Coppola, IKEA’s Chief Digital Officer, about how they are redesigning the way that IKEA use their customer’s data, putting visual explanations and controls in context to help user’s better understand and make informed decisions. Neat! youtube.com

Iowa’s Democratic caucus was a tech disaster

A new app was commissioned to capture and report results from the districts voting on Democratic presidential nominees. While it wasn’t hacked, its security posture wasn’t great (see Vice Motherboard), and is a catalogue of examples of how not to do things - be it from user-centred design, security, or continuity plans. User needs were poorly understood and training was minimal, aspects of the app were kept a close secret ‘to keep it safe from cyber-attack’ (security through obscurity is a fallacy), and then the business continuity plans were disrupted because Trump supporters flooded phone lines with spam phone calls. (They’d also reduced the number of support lines because ‘the app will streamline things.’) techcrunch.com, vice.com

Twitter’s API abused to match 17 million phone numbers and accounts

Actors with ties to nation state groups used lax practices on Twitter’s Application Programming Interface (API) to match 17 million phone numbers to Twitter accounts. The information is useful when trying to, for example, match protestors in the digital realm with their real life identities. Saudi Arabia was caught buying details of 6,000 from two Twitter employees for $30,000 last year (vol. 2, iss. 45.) As organisations open up their services to be accessed programmatically this sort of API abuse will increase. Facebook, for example, discovered lots of API mis-use following the Cambridge Analytica scandal. APIs provide much of the ‘glue’ that provide for seamless experiences. Keep an eye on their use, what data can be accessed via them, and where that access is from are crucial ‘non-functional’ aspects that need to be considered. zdnet.com

Using monitor brightness to exfiltrate data from air-gapped networks

Some interesting research from Israel’s Ben-Gurion university where researchers have demonstrated the ability to exfiltrate data by making subtle manipulations to the brightness of computer screens. The team have priors, with plenty of example of other techniques for avoiding detection. Whilst the rate, and distance, at which data is transmitted is low, that could be sufficient for some clandestine operations. zdnet.com

In brief

Attacks, incidents & breaches

  • Google Takeout a bit too true to its name after potentially 1000s of private videos shared with complete strangers theregister.co.uk
  • Facebook’s accounts on Twitter and Instagram were hacked [via third-party social media management platform] cnet.com
  • Microsoft Teams suffers outage due to expired certificate, company says cnet.com
  • Deliveries stranded across Australia as Toll confirms ransomware attack zdnet.com

Threat intel

  • 5 new vulnerabilities [in Cisco products] expose the ‘backbone’ of an enterprise network to data theft cyberscoop.com
  • ‘EKANS’ Ransomware appears to be work of cybercriminals, targets Industrial Control Systems wired.com
  • This crafty malware makes you retype your passwords so it can steal them zdnet.com
  • BEC Scammers’ Interest in the Real Estate Sector Rises bleepingcomputer.com

Security engineering

Internet of Things

  • This is not Huawei to reassure people about Beijing’s spying eyes: Trivial backdoor found in HiSilicon’s firmware for net-connected cams, recorders theregister.co.uk
  • Bug in Philips Smart Light Allows Hopping to Devices on the Network bleepingcomputer.com

Privacy

  • Out of Control: How consumers are exploited by the adtech industry - and what we are doing to make it stop forbrukerradet.no
  • US agencies using phone location data for immigration enforcement, report says cnet.com

Mergers, acquisitions and investments

  • HPE acquires cloud native security startup Scytale techcrunch.com
  • Forescout goes for $1.9 billion in private-equity acquisition cyberscoop.com
  • Netskope raises another $340 million from venture capital crowd cyberscoop.com

And finally

Be my valentine

Some might fine punnery from @TashJNorris this week delivering some valentine-themed security awareness one-liners. Have you received any phishing emails recently? Because you are quite a catch. @TashJNorris

Also

Chip in to buy corp.com with me?

krebsonsecurity.com